JAPAN REGISTRY SERVICES
DNS Anycast Operation of .JP
ICANN ccNSO @ Vancouver, 30 Nov. 2005
Shinta Sato, JPRS
Copyright © 2005 Japan Registry Services Co.,
Agenda
• Background
• Motivations
• .JP Anycast Overview
• Anycast management
Background
• IP anycast is…
  – A technology to share a single IP address among multiple servers
    • IGP anycast inside an AS
    • BGP anycast across ASes
  – DNS is one of the services for which IP anycast is effective
    • Both query and response are single UDP packets (the response may be fragmented with EDNS0, but that is still not a problem)
    • TCP sessions are very short
  – IP anycast is now being deployed on authoritative name servers
    • Root servers (C, F, I, J, K, M)
    • Some TLD servers (.JP, .MX, .DE, etc.)
BGP Anycast Overview
[Figure: AS1 operates anycast node #1 and anycast node #2; AS2, AS3, AS4, AS5 and AS6 surround it. Both routers of AS1 announce the same shared unicast IP address over their BGP connections as the service address. Incoming query packets from clients in AS5 go to the nearest node, #1 of AS1, via AS2; incoming query packets from clients in AS6 go to the nearest node, #2 of AS1, via AS3.]
IGP Anycast Overview
[Figure: AS1 contains anycast node #1 and anycast node #2, with neighbouring AS2, AS3, AS4 and AS5. A shared unicast IP address is assigned for the service and is announced by the IGP at each node. Incoming query packets from clients go to the nearest node once they enter AS1.]
Motivations
• Common motivations for using DNS anycast are:
  – Localize DoS attack damage
  – Provide nameservers all over the world
  – IPv6 deployment
  – Simple maintenance and recovery
Localize DoS attack damage
• IP anycast can localize DoS attack damage to a single node.
  – Other nodes are not affected by the DoS attack
  – Only the nodes nearest to the DoS attacker are damaged
  – In the DDoS case, if the attackers are concentrated in similar networks, the effects are localized too.
Provide nameservers all over the world
• Placing more nameservers is one of the ways to increase the stability of the DNS
• IP anycast helps in planning the placement of secondary servers
  – Adding a new anycast node improves accessibility for users
  – Users access only the nearest node
IPv6 deployment
• Adding IPv6 glue data in the parent zone lowers the maximum number of NS records to fewer than 13
  – The number of NS records is limited by the DNS response packet size of 512 octets
  – Serving AAAA (IPv6) glue records requires more space in the additional section than A (IPv4) glue only
Simple maintenance and recovery
• IGP anycast can simplify server maintenance
  – The operator can stop an individual server without a service outage
• BGP anycast can simplify maintenance of a whole site
  – The operator can shut down the BGP peer without a service outage
  – Useful in the case of network trouble
• The DNS node can be rebuilt without regard to other infrastructure placed in the same network
The current situation of .JP
• JP DNS servers:
  – 5 NSes
    • {a,b,d,e,f}.dns.jp
    • c.dns.jp was retired in Mar. 2005
  – Operated by 5 different organizations, under the responsibility of JPRS
    • All organizations run their own networks with their own AS numbers
  – Hold a number of zones
    • .JP ccTLD zones (1 TLD and 63 SLDs)
      – 769,445 domains (1 Nov. 2005)
    • Also serve 339 in-addr.arpa zones for JPNIC (the NIR)
Introducing IP anycast servers to .JP
• Severe risk of a power outage in Tokyo (2003)
  – JP DNS operators tried to move some of the servers out of Tokyo
    • Using IP addresses from their main networks prevented us from changing the location without changing the IP address at that time
    • This was a potential problem: it prevented us from recovering the DNS independently of other infrastructure placed in the same network, even in severe network trouble
  – JP DNS could not add more NSes
    • JP DNS operators were considering the deployment of IPv6 at that time
    • 4 IPv6 servers out of 6 NSes is the limit
• Fortunately, the power outage did not happen
Introducing IP anycast servers to .JP (2)
• JP DNS took the following approach
  – Keep the number of NS records at 6
  – Move to PI (Provider Independent) addresses and new ASNs where possible
  – Add more servers using IP anycast technology
    • Now we have servers in Tokyo, Osaka and the US
Technical details of a.dns.jp
[Figure: network diagram of a.dns.jp. JPRS connects to the Internet through Transit #1, Transit #2, IX #1, IX #2, IX #3 and an IPv6 IX (transit and peering links are distinguished). Pairs of BGP routers and switches front three groups of JP DNS servers: the IPv4 anycast Osaka node, the IPv4 anycast Tokyo node and the IPv6 DNS Tokyo node, each with its own maintenance server. The service address is a Critical Infrastructure Address.]
Concerns of IP anycast management
• IP address issues
  – Anycast needs a PI address or an unused /24 address block
    • A ccTLD can obtain PI address blocks for its nameservers
  – A unicast address is still needed for each anycast node
    • To update the zone data and to maintain the servers
  – At least 1 NS should remain unicast (RFC 3258)
• Budget issues
  – IP anycast requires transit and/or IX connectivity for each node
  – May be expensive for an individual service
    • This network serves only 1 IP address to the public
• Measurement issues
  – It is hard to know whether all the servers behind an anycast address are up
    • Checking the unicast address is not enough
    • Measurement from multiple source addresses is required
Nameserver configurations
• Multiple addresses are needed on a server
  – One for the IP anycast service
  – One (or more) unicast address(es) for maintenance and zone updates
• Not so different from unicast servers
  – In BIND9, the following options should be considered so that zone updates work
    • query-source
    • transfer-source
    • notify-source
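As an added illustration (not JPRS's own configuration), a BIND9 named.conf fragment for one anycast node that applies the three options above; all addresses are constructed placeholders from the documentation ranges.

```conf
// Added example, not JPRS's configuration. Constructed placeholder addresses:
//   192.0.2.53     shared anycast service address (announced by BGP/IGP)
//   198.51.100.10  this node's own unicast address
//   203.0.113.1    the zone master
options {
    directory "/var/named";
    recursion no;
    // Answer on both addresses; the anycast address is the public one.
    listen-on { 192.0.2.53; 198.51.100.10; };
    // Everything this node originates must leave from the unicast address.
    // A refresh query, transfer or NOTIFY sent from the anycast address would
    // be answered to 192.0.2.53 and could land on a different anycast node.
    query-source    address 198.51.100.10;
    transfer-source 198.51.100.10;
    notify-source   198.51.100.10;
};

zone "jp" {
    type slave;
    file "slave/jp.db";
    masters { 203.0.113.1; };
    // The master must NOTIFY each node's unicast address (also-notify on the
    // master), since a NOTIFY to the anycast address reaches only one node.
    allow-notify { 203.0.113.1; };
    allow-transfer { none; };
};
```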
Consideration points
• Local nodes and global nodes
  – Local nodes are for IX connections
    • no-export option on BGP peers
  – Global nodes are for transit connections
  – 2 global nodes and several local nodes may be a good arrangement
  – Some trouble may be caused by uRPF (unicast Reverse Path Forwarding)
    • Some ISPs use uRPF for very intelligent network filtering
Example of IP anycast effect
• DoS-like queries at the Osaka node did no harm to the Tokyo node
[Figure: query-rate graphs for the Osaka node and the Tokyo node]
BCPs
• Some BCP activities exist
  – Distributing Authoritative Name Servers via Shared Unicast Addresses
    • RFC 3258
  – Operations of Anycast Services
    • draft-ietf-grow-anycast-02.txt
  – BGP Anycast Node for Authoritative Name Server Requirements
    • draft-morishita-dnsop-anycast-node-requirements-01.txt
Appendix: NS maximum number estimation
• The DNS protocol has a limitation on UDP response packet size
• More NSes make .JP DNS more reliable
• Estimation for .JP (dns.jp)
  – Name compression
  – "preferred-glue a" and/or EDNS0 may moderate the limitation

  NS  AAAA  A   Add.            Judge
  3   3     3   AAAA x3, A x3   Nice
  4   3     4   AAAA x3, A x4   Nice
  5   3     5   AAAA x3, A x4   OK
  6   3     6   AAAA x3, A x3   OK
  7   3     7   AAAA x3, A x2   OK
  8   3     8   AAAA x3, A x1   OK
  9   3     9   AAAA x3, A x0   Bad
  10  3     10  AAAA